Rockwell Automation products using GoAhead Web Server

1. EXECUTIVE SUMMARY

• CVSS v3 9.8 *ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Rockwell Automation
• **Equipment:**Products using GoAhead Web Server
• Vulnerabilities: Infinite Loop, Use after Free

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could have a high impact on the confidentiality, integrity, and availability of the vulnerable devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports the following products use a version of GoAhead web server vulnerable to both CVE-2019-5096 and CVE-2019-5097:

• 1732E-8CFGM8R/A: firmware version 1.012
• 1732E-IF4M12R/A (discontinued): firmware version 1.012
• 1732E-IR4IM12R/A: firmware version 1.012
• 1732E-IT4IM12R/A: firmware version 1.012
• 1732E-OF4M12R/A: firmware version 1.012
• 1732E-OB8M8SR/A: firmware version 1.013
• 1732E-IB8M8SOER: firmware version 1.012
• 1732E-8IOLM12R: firmware version 2.011
• 1747-AENTR: firmware version 2.002
• 1769-AENTR: firmware version 1.001
• 5069-AEN2TR: firmware version 3.011
• 1756-EN2TR/C: firmware versions up to and including 11.001
• 1756-EN2T/D: firmware versions up to and including 11.001
• 1756-EN2TSC/B (discontinued): firmware version 10.01
• 1756-EN2TSC/B: firmware version 10.01
• 1756-HIST1G/A (discontinued): firmware versions up to and including 3.054
• 1756-HIST2G/A(discontinued): firmware versions up to and including 3.054
• 1756-HIST2G/B: firmware versions up to and including 5.103

Rockwell Automation reports the following products use a version of GoAhead web server vulnerable to CVE-2019-5097:

• ControlLogix 5580 controllers: firmware version V28 – V32
• GuardLogix 5580 controllers: firmware version V31 – V32
• CompactLogix 5380 controllers: firmware version V28 – V32
• Compact GuardLogix 5380 controllers: firmware version V31 – V32
• CompactLogix 5480 controllers: firmware version V32
• 1756- EN2T/D: firmware version 11.001
• 1756-EN2TR/C: firmware version 11.001
• 1765 – EN3TR/B: firmware version 11.001
• 1756-EN2F/C: firmware version 11.001
• 1756-EN2TP/A: firmware version 11.001.

3.2 VULNERABILITY OVERVIEW

3.2.1 INFINITE LOOP CWE-835

A denial-of-service vulnerability exists in the GoAhead web server. To exploit this vulnerability, a malicious user could send specially crafted HTTP requests and trigger an infinite loop in the process. If exploited, the targeted device could crash.

CVE-2019-5097 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 USE AFTER FREE CWE-416

A critical vulnerability exists in how the web server processes requests. If exploited, a malicious user could leverage this vulnerability to execute arbitrary code by sending specially crafted HTTP requests to the targeted device.

CVE-2019-5096 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported to CISA that the devices listed may use a version of GoAhead web server with publicly known vulnerabilities.

4. MITIGATIONS

Rockwell Automation recommends users apply the latest version of firmware when possible:

• 1769-AENTR: Update to 1.003 or later
• 5069-AEN2TR (discontinued): Migrate to the 5069-AENTR.
• 1756-EN2T/D: Update to 11.002 or later
• 1756-EN2T/D: Update to 11.002 or later
• 1756-EN2TR/C: Update to 11.002 or later
• 1756-EN2F/C: Update to 11.002 or later
• 1756-EN2TP/A: Update to 11.002 or later
• 1756-HIST1G/A (discontinued): Update to series B v5.104 or C 7.100 or later
• 1756-HIST2G/A (discontinued): Update to series B v5.104 or C 7.100 or later
• 1756-HIST2G/B: Update to 5.104 or later
• 1756-EN2F/C: Update to 11.002 or later
• ControlLogix 5580 controllers: Update to V32.016 or later
• GuardLogix 5580 controllers: Update to V32.016 or later
• CompactLogix 5380 controllers: Update to V32.016 or later
• Compact GuardLogix 5380 controllers: Update to V32.016 or later
• CompactLogix 5480: Update to V32.016 or later

If updating firmware is not possible or updated firmware is unavailable, Rockwell Automation recommends the following compensating controls to minimize vulnerability risk:

• Disable the web server if possible. Review the corresponding product user manual for instructions, which can be found in the Rockwell Automation literature library.
  • For 1732E, upgrade to the latest firmware to disable the web server.
• Configure firewalls to disallow network communication through HTTP/Port 80.

See the Rockwell Automation Knowledgebase article, Security Best Practices, for more recommendations to maintain security posture of an environment

Users should see the Rockwell Automation security advisory for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolate them from business networks.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have a low attack complexity.